Play Offense On Security In 2013: Gartner

Threats to enterprise data intrinsically evolve faster than defense mechanisms, said three Gartner analysts Monday during a security presentation at the research firm's Symposium/ITxpo in Orlando, Fla. The result, they argued, is that businesses must adapt by dropping reactive measures in favor of offensive-minded, proactive methods.

Research VP Greg Young began the presentation by saying enterprises can protect sensitive content by focusing on three main areas: infrastructure protection, or "keeping the bad guys out"; identity and access management, or "letting the good guys in"; and business continuity, compliance, and risk management, which he characterized as the policies that "keep the wheels on."

Young's portion of the talk focused on the first area, infrastructure, and also provided context for the later segments. Changes in technology, he asserted, necessitate changes in security--and not just because advances mean that attackers have gained access to more sophisticated methods. Emerging trends around software-defined networking (SDN), virtualization, and cloud computing, for instance, have rapidly changed infrastructure such that threats can hide "where we're not looking."

The difficulty, he said, stems from monitoring and security intelligence--that is, to spotting not only the blacklisted and whitelisted elements but also the "graylisted ones." These nebulous spots might be hints of a significant attack but can also be--in, say, the case of an authorized user attempting out-of-policy network access--false alarms. He mentioned the limitations of signatures and other traditional approaches in detecting new threats, arguing that security data must be collected outside "a single point of inspection." Young said reputation-based and user identity-oriented tools can "help make better sense" of what is going on in the network.

Mobility further complicates the equation, Young remarked, noting that within the next few years, 70% of mobile professionals are expected to conduct all their work on mobile smart devices. "This is inevitable," he stated, adding that BYOD is going to remain an enterprise fixture "whether you like it or not." Most risks, though, involve lost devices, not targeted attacks. Mobile device management (MDM) tools and similar controls, Young said, are consequently of the utmost importance.

Strategic infrastructure planning, he concluded, doesn't involve security that tries to take on all threats. Rather, it demands a carefully considered user-access policy to which security mechanisms can be aligned.

Gartner VP Earl Perkins focused on identity and access management. He began by citing the "Nexus of Forces," a theme introduced in a keynote earlier in the day that asserted four agents--social networks, cloud computing, mobility, and big data--are converging to shape the future of IT.

On the social networking front, he remarked that customer identities are playing an increasingly large role in the retail space, and suggested that enterprises could likewise harness this trend to improve user access management. Calling the process the "socialization of identity," he said most enterprises already build identity management programs to define entitlements and permissions. Perkins said that "maybe identities can come from somewhere else," elaborating that if these social media profiles can be encased in "an enterprise-class shell," they may become a step in enterprise security mechanisms.

Perkins spoke somewhat speculatively on this topic, referring to outcomes that might be a decade away and qualifying that they "depend on social media environments, construction, and infrastructure." Even so, the human capital management arena has already started to integrate social media for more effective user management.

The contentious matter of business access to social media content was not addressed, but possible advantages became clearer when Perkins discussed another nexus force, data. He mentioned the retail powers that Google has gained by mining user identities linked to searches, and predicted that by 2015, 80% of successful identity and access implementations will not only drive processes but also deliver intelligence. He called this trend "identity indexing" and stated that, in terms of security, "you only have control because you have the intelligence to know what you control."

As for clouds, Perkins stated that they simply involve "an end point consuming some service somewhere ... [through] an identity." This results in multiple access points, which he linked to the nexus force of mobility, and requires that user authentication keep pace. He said that identity-and-access-management-as-a-service (IDAAS) would account for 40% of cloud service sales, though, due to a high volume of small and midsize business buyers, not 40% of revenue, by 2015.

Closing with a direct look at mobility, Perkins said that user verification has grown to include not only passwords or access cards but also biometrics, and that phone-based authentication has allowed businesses to consider using one device for all three methods.

Gartner VP Paul Proctor presided over the final segment, which not only addressed risk management but also looped back to some of the policy decisions Young had outlined earlier.

He argued that risk management must be driven by processes, not a team of smart "security heroes." "Processes are cool [because they are] measurable, repeatable, and survivable," he said.

Proctor explained that these processes should not attempt to protect against everything. Such control is impossible, he stated, countering that an increased focus on employee training could mitigate the majority of problems. He echoed Young's assertion that BYOD is here to stay and said that behavioral changes are part of the solution. "The trend is becoming security as a social science," he stated.

Bringing up another behavioral shift, he argued that businesses must stop simply tallying security incidents, as the metric has no contextual value, and should instead focus on identifying protection levels appropriate to their needs. Part of this, he suggested, is based on the business's industry. Manufacturing companies possess intellectual property but relatively little personal data, he said, so they might be able to "get away with a little less protection." A bank, however, requires more protection because it is more likely to be targeted by attackers.

Nevertheless, decision makers must also consider the complexity of an organization's activities. Proctor said that a one-doctor office will need security for regulatory reasons, but that it cannot be lumped into the same category as a large hospital. "The point is," he said, "as you get more complicated, as you have more customers and more types of activities, more regulatory scrutiny and more risk--you're going to have to spend more money."

He sympathized that security officers sometimes struggle to make the case for such expenditures to the corporate powers-that-be. The key, he said, is to avoid abstract tech talk and to link needs to the profit concerns that non-IT decision makers are more likely to understand.

Proctor said this task is easier said than done, and declared that credible reports must outline causal links between a security problem and a business outcome. He suggested that the risk of outdated application patches might be self-evident to IT professionals but countered that managers typically don't understand why this issue necessitates action and expense.

An optimal approach might connect poor patching to faults in critical systems, such a slowdown in the supply chain. "That's a leading indicator that execs can understand," Proctor said.

The days of using compliance as a benchmark for risk mitigation are numbered. Business leaders must realize that although compliance is key to demonstrating the absolute minimum level of security it only goes so far in addressing the risks presented to today's enterprise.

When requesting resources, fiscal or otherwise, Infosec professionals need to be able to relay impact to the bottom line in the best\worst case scenarios. Our role is to identify and present the risk, not take the reactive, "lets get a tool to manage that" band-aid approach to security.

Unless business leaders take a proactive approach to information and technology risk they will be faced with responding to cyber security attacks/incidents and/or privacy breaches... and identifying suitably skilled resources to help them respond.

Thanks to Hurricane Sandy, I'm at a friend's home since there is no power at my home, my office, or any office in a sane driving distance of my NJ location. There are others here, too, also affected by the storm and taking advantage of the kindness. A huge part of that kindness is internet access! I work for Dell, there's an insurance agent here, and also someone who manages customer service for a small manufacturing company. We have PCs, iPads, iPhones, Android phones, and other various devices all connected to the same home router. So when the idea that professionals will demand access on the go on their smart phones and mobile devices is framed as a prediction, it feels like this disaster area is living in the future. I'm sure there is sensitive data all mixed up in the packets flying around on this network. What would the insurance firms think about that I wonder? What would Dell IT think?

This is an excellent summary of the important issues IT & security professionals will soon face in every corner of the world and in every type of business. Up to now, I've focused on thinking about that "letting the good guys in" part - IAM. I know we can meet the needs there, and our team have had long talks with Earl about how Dell's (formerly Quest's) solutions deliver on the promise of intelligence from IAM data right now - a bit of living in the future again. What I'm now seeing from the broader Dell Security perch is that Dell can talk to all the these issues. Our Dell SecureWorks offerings, which I'm currently drinking from the firehose to fully master, absolutely "keep the bad guys out". And since SecureWorks applies human intelligence to threat analysis which is then shared across all the different organizations they protect, they are doing well at staying ahead of the signature and white/black/gray-list curves. There are also MDM and other solutions in the Dell portfolio that I'm getting my head around. It makes me happy to say that the checklist you predict for everyone looks a lot like the solution portfolio that I'm getting to play with right now.

Well done. I would suggest that a new approach is available to address the body of your article. We can now not only blocking the known but the unknown or mutated events with extreme accuracy, effectiveness, and speed. In other words, the gray zone. Barrier1 has done so using advance real time algorithms at the edge and then distributing this information to it's community in minutes instead of months that present list based system are using.